There is a growing importance placed on detection technologies in both threat research and damage mitigation. In every war, intelligence is of the utmost importance for the deployment of resources and the exploitation of an adversary. The cyber battlefield is no different: discovering and understanding the enemy’s avenues of attack is the best method of preventing damage to an organisation.
The adversary is also changing, from opportunistic broad-spectrum attacks to more targeted, developed threats.
In the cybersecurity arena, forensic analysis is the process of deconstructing an attack’s exploitation, transmission vector and payload to determine exactly how and, if possible, why a system was compromised. It is important for evaluating a network’s vulnerability, creating defences against attacks, and predicting how potential attacks may operate.
What is a honeypot?
A ‘honeypot’ in cybersecurity describes an apparently vulnerable network device with the capacity to covertly monitor and record attacks against it. The honeypot is set up to appear enticing and legitimate to an attacker, without exposing important data if it is attacked.
What is its purpose?
A honeypot can capture the attack methodology, attack signature, information on targeted systems, network vulnerabilities and, potentially, information on the attacker. This intelligence allows the cybersecurity industry to be more adept at detection of current attacks and prevention of future attacks. Attack signatures can be added to intrusion databases, a methodology can be dissected and understood in order to develop defence strategies, and vulnerabilities can be exposed and patched before they can be exploited. A greater understanding of a cyber adversary is also integral to the ability of the cybersecurity industry to evolve and adapt.
Awareness of attackers’ motives gives security professionals a significant advantage in predicting how the cyber threat landscape is developing, and allows pre-emptive countermeasures to be deployed.
Malicious actors are aware of the existence and purpose of honeypots and are constantly wary of being trapped. Effective honeypot deployment therefore involves making the device look as real as possible: protecting it with proper security technology and having it hold data and carry traffic that appear legitimate. However, in order to protect genuine data, these honeypots are often located outside the company’s secure network, in a fake network or ‘Demilitarised Zone’ (DMZ).
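As an added illustration (not code from the article), the following Python sketch shows the monitoring side of what is described above: a minimal low-interaction honeypot that listens on a decoy port, presents a fake SSH banner, records who connected and what their tool announced, and then drops the session. The banner string, the port 2222 and the record fields are assumptions chosen for this example.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy banner (assumption): the listener pretends to be an SSH server.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


def build_record(peer, client_bytes, when=None):
    """Turn one connection attempt into a structured record for the intrusion database."""
    when = when or datetime.now(timezone.utc)
    text = client_bytes.decode("utf-8", errors="replace").strip()
    return {
        "ts": when.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "client_banner": text[:256],            # what the connecting tool announced, if anything
        "speaks_ssh": text.startswith("SSH-"),  # genuine SSH clients identify themselves first
        "bytes_received": len(client_bytes),
    }


def handle_connection(conn, peer, sink):
    """Send the decoy banner, capture the client's first message, log it and drop the session."""
    data = b""
    try:
        conn.settimeout(5)
        conn.sendall(FAKE_BANNER)
        data = conn.recv(1024)
    except OSError:  # socket.timeout is an OSError: silent port scanners leave an empty record
        pass
    finally:
        conn.close()
    sink(build_record(peer, data))


def serve(host="0.0.0.0", port=2222, sink=lambda r: print(json.dumps(r)), max_conns=None):
    """Accept connections forever (or max_conns of them) and hand each to a logging thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        seen = 0
        while max_conns is None or seen < max_conns:
            conn, peer = srv.accept()
            threading.Thread(target=handle_connection, args=(conn, peer, sink), daemon=True).start()
            seen += 1


if __name__ == "__main__":
    serve()  # records are written to stdout as JSON lines for forwarding to a SIEM
```

Each JSON line is a candidate signature: the source address, the client banner and whether the peer spoke SSH at all distinguish targeted probes from blind port scans.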
Honeypots in Active Defence
Honeypots are increasingly being adopted by operators who are seeking to strengthen their cybersecurity regime using countermeasure technology. The devices provide the opportunity to observe the actions of an attacker and build an understanding of the tactics, techniques and procedures being used against systems or facilities. A well-implemented honeypot deployment can provide the following:
- Highlight risks and assess the seriousness of a threat.
- Provide impact assessments based on the observations of the activities of the threat.
- Direct further investigative activities and allow for incident response planning.
- Deliver specific Threat Intelligence to the organisation.
- Act as a decoy to bolster defence systems.
Future Use of Honeypots
ICS (industrial control systems) will continue to be attacked, with potentially greater success, as new tools and easily accessible information become more widely available.
Over time this will allow attackers’ technical knowledge, sophistication and methodologies to develop. Honeypots are a useful tool that can reveal malicious intent and methodologies, providing operators with the intelligence required to build or strengthen the security posture of an organisation.